The cybersecurity executive order contains suggestions considered good ideas by experts, including holding agency heads accountable for cybersecurity.

“President Trump’s cybersecurity executive order (EO) addresses the right areas of concern – updated federal systems, critical infrastructure, deterrence, workforce education, and more,” said Eddie Habibi, chief executive and founder of Houston-based PAS. “Thankfully, the executive branch continues to emphasize securing critical infrastructure as a high priority. Focusing on securing the industries that produce gasoline for our cars, keep the lights on in our houses, and make the chemicals in our everyday household products has everything to do with protecting our nation’s economy, environment, and national security. And protecting the nation’s critical infrastructure begins with securing the industrial control systems (ICS) that automate the production and ensure the safety of power and process facilities.”

“Even with this long awaited executive order, the essential priorities of cybersecurity remain the same. We know that maintaining a critical set of foundational controls is a proven strategy for minimizing the attack surface and reducing risk of cyberattack,” said Tim Erlin, vice president of product management and strategy at Tripwire. “Even the most elaborate cybersecurity program can ultimately fail if it doesn’t get the basics right. It’s a positive sign to see the executive order address foundational controls like vulnerability management and secure configuration management.

“With cybersecurity concerns on the rise, it’s important for the government to set a strong example,” he said.

In the past, agency leaders often demurred to IT staff when problems arose.

A common criticism in the Senate is the U.S. lacks a guiding strategy for cyber defense, beyond making ad hoc decisions. It’s a complaint that dogged the Obama administration and was beginning to catch up to the Trump administration as well.

The executive order begins the process of developing one, and within 90 days a bevy of agencies will produce options for development.

Agencies will now follow the National Institute for Standards and Technology (NIST) framework — a flexible set of guidelines developed by NIST, a part of the Department of Commerce. The guidelines were developed to be adaptable to any organization and are currently popular in the private sector.

“Unfortunately, NIST does not provide specific guidance on how to solve problems, only on pointing out the problems to be solved,” said Philip Lieberman, president of Los Angeles-based Lieberman Software. Some of their guidance is a little off-base and not helpful – for example, they recently put out a report stating that they no longer believe that users should change their passwords regularly.”

The executive order tasks the departments of Commerce, Homeland Security, Defense, Labor and Education and the Office of Personnel Management with developing a plan to bolster the cybersecurity workforce. Homeland Security is also instructed to do wide audits of critical infrastructure for security.

A key feature of the order is emphasizing risk management. Homeland Security and the Office of Management and Budget will end up charged with developing continuing regular audits to evaluate risk and whether budgetary constraints are adequate to meet that risk.

The order further prioritizes the modernization of federal networks and systems.

“Effective immediately, it is the policy of the executive branch to build and maintain a modern, secure, and more resilient executive branch IT architecture,” the order reads.

“We were particularly encouraged to see deterrence take a front seat in the EO. Attacks – especially from nation-sponsored groups – have become so commonplace that the Associated Press recently changed their definition of a cyber attack to include only ones that result in physical damage or widespread destruction,” Habibi said. “They did this, in part, so the public does not become inured to the ongoing risk we face as a country. The reason these attacks are commonplace is that they have little consequence for the attackers. The federal government has a role in raising the bar on consequence. A nation-state cyber attack on the industrial control systems in a refinery that results in physical damage or injury is no different from dropping a bomb on that refinery. So long as attribution is clear, consequences must include the option of a proportional kinetic response. An orchestrated cyber attack on a volatile industrial facility can have the same result as a tactical WMD, which means we need to start treating it as such.”